Despite its ubiquity, Internet of Things security still isn’t ready for prime time.
The security of Internet-connected baby monitors got a failing grade from researchers who found critical vulnerabilities in all nine of the models they reviewed.
The weaknesses make it possible for hackers half a world away to perform a host of nefarious actions. They include monitoring live video feeds, changing camera settings, harvesting video clips stored online, and making an unlimited number of additions to the list of users who are authorized to remotely view and control a monitor. Researchers from security firm Rapid7 spent most of 2015 reviewing nine models from eight manufacturers and then scored them on a 250-point scale for overall security. The researchers then translated the scores into standard academic grades. Eight of the models received an F and one got a D. As Kashmir Hill at Fusion points out, the report comes a week after an Indiana couple reported someone hacked their two-year-old’s baby monitor and played the Police’s “Every Breath You Take” followed by “sexual noises.”
Internet of insecure things
The Rapid7 research is the latest to underscore the troubling security involving the “Internet of Things.” The term is applied to everyday devices—including washing machines, thermostats, and cars—that have computing and network capabilities embedded into them. The Rapid7 researchers said they focused on baby monitors because they are widely used and underscored the intensely personal uses IoT devices could serve. The researchers went on to warn that the bugs they found could do much more than allow voyeurs to invade the owners’ personal privacy. The weaknesses could also prove valuable to attackers who target executives of large companies who sometimes work from home or who access monitors from work phones or networks.
“It is important to stress that most of the vulnerabilities and exposures discussed in this paper are trivial to exploit by a reasonably competent attacker, especially in the context of a focused campaign against company officers or other key business personnel,” they wrote in a report published Wednesday morning. “If those key personnel are operating IoT devices on networks that are routinely exposed to business assets, a compromise on an otherwise relatively low-value target—like the video baby monitors covered in this paper—can quickly provide a patch to compromise the larger, nominally external, organizational network.”
Internet-connected baby monitors allow parents, grandparents, and other relatives to use their phones and computers to view live video and audio feeds of infants and toddlers as they sleep, eat, and play. Depending on how many cameras a device is connected to, these users can follow children as they move from room to room. The study reviewed the models for standard security weaknesses, such as hard-coded accounts with default passwords, unencrypted video and audio feeds, commands sent in cleartext over the Internet, and the ability to gain unauthorized control throughremote shells and similar interfaces. Here’s a small sample of what they found:
1. The Philips In.Sight B120 establishes a direct connection to the camera’s backend web application onto the public Internet, unencrypted and unauthenticated. By brute forcing the possible hostname and port number combinations used by the third-party service provider, an attacker can locate an exposed camera and is able to watch the live stream, enable remote access (e.g. Telnet), or change the camera settings.
It is important to note that Philips N.V. has been the most responsive of the vendors we approached with the findings of this research and is currently working on a patch that will be made available to customers. The company’s vendor disclosure process is well established and clearly focused on ensuring its devices are safe for consumers. We applaud Philips’ commitment to fixing this vulnerability and their established protocol for handling incoming product vulnerabilities, which included using a documented PGP key to encrypt communications around this sensitive material.
2. The iBaby M6 has a web service issue that allows easy access to other people’s camera details by changing the serial number in a URL string. By abusing this access, filenames of a camera’s recorded video clips (automatically created from a motion or noise alert) can be harvested. Through a simple script, an attacker could potentially gain access to every recorded clip for every registered camera across the entire service.
3. The Summer Infant Baby Zoom Web service contains an issue where the method of adding an authorized viewer to the camera does not require any password or secret key for access to the feed. This means that by iterating through a user identifier on a URL, an attacker can add an e-mail address of their choice to every single camera and login at will to view the stream of any camera of their choosing.
The models reviewed included:
- Gyonii (GCW-1010) – $89.34
- iBaby (M3S) – $169.95
- iBaby (M6) – $199.95
- Lens (LL-BC01W) – $54.99
- Philips (B120/37) – $77.54
- Summer (28630) – $199.99
- TRENDnet (TV-IP743SIC) – $69.99
- WiFiBaby (WFB2015) – $259.99
- Withing (WBP01) – $204.60
The researchers went on to warn that a significant percentage of models not reviewed probably contain the same types of weaknesses.
At one level, it’s hard to excuse the manufacturers for shipping a product of such intimate and personal use with such severe vulnerabilities. But at another level, it’s hardly surprising. If Microsoft, Apple, Google, and other companies with core competencies in software struggle so mightily to secure their wares, it only stands to reason these relative newcomers to network connectivity would have even bigger challenges. Most IoT devices run a version of Linux that will be woefully out of date by the time it’s in the homes of the people using it.
The equally alarming finding out of the Rapid7 study is the response of manufactures when they received private reports of the vulnerabilities that were found. With the above-mentioned exception of Philips, none of the others responded with an expected timeline for producing fixes. One unnamed maker was impossible to contact, while several others didn’t respond. Some companies questioned the motives behind the research and asked why they should respond at all.
People who are in the market for a baby monitor should strongly consider getting a model like this one, which offers no Internet connectivity and uses encryption to protect the video and audio stream sent between the camera and a dedicated handset. There’s a reasonable chance even these devices will contain critical weaknesses, but they still represent an improvement over Internet-connected monitors, since attackers will have to be in physical proximity of the people being targeted. Rapid7 advises people who have already bought an Internet-connected device to monitor the manufacturer’s website for any security advisories or patches. The problem with that advice is that people in need of a baby monitor usually have their hands full with other responsibilities.
“We advise individuals to use any camera that has not been fixed for identified issues or weaknesses sparingly—or preferably not at all—until the vendor is able to fully address identified problems,” the researchers wrote in an FAQ. “If a baby monitor allows a password to be changed, the device owner is highly encouraged to ensure that they do so and make a strong password to protect access.”